Abstract Recently, a chaotic image encryption algorithm based on perceptron model was proposed. The present paper analyzes the security of the algorithm and finds that the equivalent secret key can be reconstructed with only one pair of known plaintext/ciphertext, which is supported by both mathematical proof and experimental results. In addition, some other security defects are also reported.

1 Introduction

The usage of chaos for image encryption has received intensive attention in the past decade. This is mainly spurred by the following three points: 1) the increasing importance of the security of image data as it is transmitted over all kinds of networks with higher and higher frequency; 2) the low efficiency of traditional text encryption algorithms like DES in protecting image data, due to some intrinsic features of images such as bulk data capacity, high redundancy, strong correlation among adjacent pixels, etc.; 3) some fundamental features of chaotic dynamical systems, such as ergodicity, mixing property, and sensitivity to initial conditions/system parameters, can be considered analogous to some ideal cryptographic properties such as confusion, diffusion, and avalanche. According to the record of Web of Science, more than five hundred articles on chaos-based image encryption algorithms have been published in the past fifteen years [3]. Some other related papers consider video, audio (speech) or text as encryption objects [4ll5llT7].

Roughly speaking, the usage of chaos in designing digital symmetric encryption algorithms can be categorized into three classes: 1) creating position permutation relations directly or indirectly; 2) generating a pseudo-random bit sequence (PRBS) controlling the composition and combination of some basic encryption operations; 3) producing ciphertext directly by assigning plaintext as initial conditions or control parameters of a chaotic system. As the natural opposite of cryptography, some cryptanalysis work was also developed, and some chaos-based encryption algorithms were found to be insecure to different extents from the viewpoint of modern cryptology [T]|2]l5]fT^18ll20) . Owing to their complex dynamical properties, artificial neural networks were combined with chaos to design symmetric and public encryption algorithms [51[71 [T51[H1[^ . Unfortunately, some of them were found to be equivalent to a much simpler form in terms of essential structure and can be broken easily [10l[Tl] .

In [19], a chaotic image encryption algorithm based on the perceptron model, a type of artificial neural network invented in 1957, was proposed, where two PRBSs, generated from the quantized orbit of the Lorenz system under a given secret key, are used to control the perceptron model to output the cipher-image from the input plain-image. However, we proved that the seemingly complex image encryption algorithm is equivalent to a stream cipher of exclusive or (XOR) operation. So, it can be easily broken with only one pair of plain-image and cipher-image. In addition, some other security defects about the secret key, insensitivity of the cipher-image with respect to the plain-image, and low randomness of the used PRBSs are reported.

The rest of the paper is organized as follows. The next section briefly introduces the proposed image encryption algorithm. Section 3 presents a detailed cryptanalysis of the encryption algorithm with experimental results and some other security defects. The last section concludes the paper.



2 The proposed image encryption algorithm 

The plaintext encrypted by the image encryption algorithm under study is a gray-scale digital image. Without loss of generality, the plaintext can be represented as a one-dimensional sequence of 8-bit integers $P = \{p_n\}_{n=0}^{N-1}$ by scanning it in raster order. Correspondingly, the ciphertext is denoted by $P' = \{p'_n\}_{n=0}^{N-1}$. The kernel of the encryption algorithm is based on a threshold function

$$f(x) = \begin{cases} 1, & \text{if } x > 0, \\ 0, & \text{otherwise,} \end{cases}$$

which was considered by the proposers as a simple variant of a single-layer perceptron model that takes $m$ input variables, $s_0, s_1, \cdots, s_{m-1}$, and outputs $m$ ones by calculating

m-1 \

0, otherwise.

where $w_{i,j}$ denotes the weight of the $i$-th input for the $j$-th neuron, $\theta_i$ is the threshold of the $i$-th neuron, and $i = 0 \sim m-1$. With this preliminary introduction, the image encryption algorithm under study can be described as follows.¹

— The secret key: initial state $(x_0, y_0, z_0)$ and the step length $h$ of an approximation method solving the Lorenz system

$$\dot{x} = ay - ax, \qquad \dot{y} = cx - xz - y, \qquad \dot{z} = xy - bz, \tag{1}$$

under fixed control parameters $(a, b, c) = (10, 8/3, 28)$.

— The initialization procedures:

1) in double-precision floating-point arithmetic, solve the Lorenz system (1) with the fourth-order Runge-Kutta method of step $h$ iteratively 3001 times from $(x_0, y_0, z_0)$ and obtain the current approximation state $(x_0, y_0, z_0)$.

2) run the above solution approximation step seven more times from the current approximation state to get $\{(x_j, y_j, z_j)\}_{j=1}^{7}$, and set

$$w_j = \begin{cases} 1, & \text{if } (x_j - \underline{x})/(\overline{x} - \underline{x}) > 0.5, \\ -1, & \text{otherwise,} \end{cases}$$

and

$$\hat{w}_j = \begin{cases} 1, & \text{if } (y_j - \underline{y})/(\overline{y} - \underline{y}) > 0.5, \\ -1, & \text{otherwise,} \end{cases}$$

for $j = 0 \sim 7$, where $\overline{x} = \max(\{x_j\}_{j=0}^{7})$, $\underline{x} = \min(\{x_j\}_{j=0}^{7})$, $\overline{y} = \max(\{y_j\}_{j=0}^{7})$, $\underline{y} = \min(\{y_j\}_{j=0}^{7})$.

3) reset the current approximation state of the Lorenz system as

xn=x + (a;8 -x)\Y. {wj + 1) • 2^-1 ® r /256,

yo^y + {yB~y){ jz{w, + 1) • 2^-1 © r\ /256,

where r = [(zg — \_zs\) ' 256J.

4) repeat the above two steps $N - 1$ times and get two sequences $\{w_k\}_{k=0}^{8N-1}$ and $\{\hat{w}_k\}_{k=0}^{8N-1}$.

— The encryption procedure: for the $n$-th plain-byte $p_n = \sum_{i=0}^{7} p_{n,i} \cdot 2^i$, obtain the corresponding cipher-byte $p'_n = \sum_{i=0}^{7} p'_{n,i} \cdot 2^i$ by calculating

$$p'_{n,i} = \begin{cases} f(p_{n,i} w_k + c_k w_k - \theta_k), & \text{if } w_k = 1, \\ f(p_{n,i} w_k - c_k w_k + \theta_k), & \text{otherwise,} \end{cases}$$

where $c_k = -\hat{w}_k/2$, $\theta_k = ((w_k + 1)/2) \oplus ((\hat{w}_k + 1)/2)$ and $k = 8 \cdot n + i$.

— The decryption procedure is the same as the encryption one except that the locations of $p_{n,i}$ and $p'_{n,i}$ in the encryption function are swapped.

¹ To make the presentation more concise and complete, some notations in the original paper [19] are modified, and some details about the algorithm are also amended under the condition that its security property is not influenced.
3 Cryptanalysis

3.1 Known-plaintext attack

It is well known that every detail of an encryption algorithm, except the secret key, should be public. This is called Kerckhoffs's principle, which was reformulated by Claude Shannon as Shannon's maxim, "The enemy knows the algorithm." Under this principle, the known-plaintext attack is a cryptanalysis model where the attacker can access some samples of both the plaintext and the corresponding ciphertext (encrypted version). The objective of the model is to reveal some (even all) information about the secret key, which is then used to decrypt other ciphertext encrypted with the same secret key. Note that the feasibility of the known-plaintext attack is based on repeated usage of the secret key, namely the impracticability of the one-time pad, which is caused by the following three problems: 1) the impossibility of a software source of perfectly random bits; 2) secure generation and exchange of one-time pad material no shorter than the plaintext; 3) complex secret key management preventing the secret key from being reused in whole or in part.

The strength of any encryption algorithm against the known-plaintext attack is one of the most important factors in evaluating its security. Unfortunately, we found that the image encryption algorithm under study can be broken with only one pair of plaintext and the corresponding ciphertext.

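Theorem 1 For $n = 0 \sim N-1$ and $i = 0 \sim 7$,

$$p'_{n,i} = \begin{cases} p_{n,i}, & \text{if } w_k = 1, \\ \bar{p}_{n,i}, & \text{otherwise,} \end{cases} \tag{3}$$

where $k = 8n + i$, $\bar{x} = (x \oplus 1)$.

Proof To prove the theorem, we study the four possible combinations of $(w_k, p_{n,i})$ as follows.

- $(w_k, p_{n,i}) = (1, 1)$:

$$\begin{aligned} p'_{n,i} &= f(p_{n,i} \cdot w_k + c_k \cdot w_k - \theta_k) \\ &= f(1 + (-1/2) \cdot \hat{w}_k - \theta_k) \\ &= \begin{cases} f(1 - 1/2 - 0), & \text{if } \hat{w}_k = 1, \\ f(1 + 1/2 - 1), & \text{otherwise} \end{cases} \\ &= f(1/2) \\ &= 1. \end{aligned}$$

- $(w_k, p_{n,i}) = (1, 0)$:

$$\begin{aligned} p'_{n,i} &= f(p_{n,i} \cdot w_k + c_k \cdot w_k - \theta_k) \\ &= f(0 + (-1/2) \cdot \hat{w}_k - \theta_k) \\ &= \begin{cases} f(0 - 1/2 - 0), & \text{if } \hat{w}_k = 1, \\ f(0 + 1/2 - 1), & \text{otherwise} \end{cases} \\ &= f(-1/2) \\ &= 0. \end{aligned}$$

- $(w_k, p_{n,i}) = (-1, 1)$:

$$\begin{aligned} p'_{n,i} &= f(p_{n,i} \cdot w_k - c_k \cdot w_k + \theta_k) \\ &= f(-1 - 1/2 \cdot \hat{w}_k + \theta_k) \\ &= \begin{cases} f(-1 - 1/2 + 1), & \text{if } \hat{w}_k = 1, \\ f(-1 + 1/2 + 0), & \text{otherwise} \end{cases} \\ &= f(-1/2) \\ &= 0. \end{aligned}$$

- $(w_k, p_{n,i}) = (-1, 0)$:

$$\begin{aligned} p'_{n,i} &= f(p_{n,i} \cdot w_k - c_k \cdot w_k + \theta_k) \\ &= f(0 - 1/2 \cdot \hat{w}_k + \theta_k) \\ &= \begin{cases} f(0 - 1/2 + 1), & \text{if } \hat{w}_k = 1, \\ f(0 + 1/2 + 0), & \text{otherwise} \end{cases} \\ &= f(1/2) \\ &= 1. \end{aligned}$$

Combining the above four cases, one has

$$p'_{n,i} = \begin{cases} 1, & \text{if } p_{n,i} = 1 \text{ and } w_k = 1, \\ 0, & \text{if } p_{n,i} = 0 \text{ and } w_k = 1, \\ 0, & \text{if } p_{n,i} = 1 \text{ and } w_k = -1, \\ 1, & \text{if } p_{n,i} = 0 \text{ and } w_k = -1, \end{cases}$$

which means

$$p'_{n,i} = \begin{cases} p_{n,i}, & \text{if } w_k = 1, \\ \bar{p}_{n,i}, & \text{otherwise.} \end{cases}$$

Thus, the theorem is proved. □

Observing Theorem 1, one has

$$p'_{n,i} = p_{n,i} \oplus w'_k, \tag{4}$$

where $w'_k = (w_k + 1)/2$. From Eq. (4), one can get

$$(p_n \oplus p'_n) = \eta_n,$$

where $\eta_n = \sum_{i=0}^{7} w'_{8n+i} \cdot 2^i$ and $n = 0 \sim N-1$. For any other cipher-image $Q' = \{q'_n\}_{n=0}^{N-1}$ encrypted with the same secret key, one can easily reveal the corresponding plain-image $Q = \{q_n\}_{n=0}^{N-1}$ by calculating

$$q_n = q'_n \oplus \eta_n$$

for $n = 0 \sim N-1$, which means $H = \{\eta_n\}_{n=0}^{N-1}$ can work as an equivalent secret key.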

To verify the performance of the above attack, some experiments were made. Figure 1 shows a plain-image "Lenna" of size 512×512 and the encryption result with the secret key $(x_0, y_0, z_0) = (1, 1, 0)$ and h = 10~^. A mask image $H$ is constructed by XORing the data of Fig. 1a) and Fig. 1b) byte by byte, and is shown in Fig. 2a). The mask image is then used to decrypt another cipher-image shown in Fig. 2b), and the result is shown in Fig. 2c), which is identical to the original plain-image "Baboon".




Fig. 1 One known plain-image and the corresponding cipher-image: a) known plain-image "Lenna", b) cipher-image of Fig. 1a).

Fig. 2 Known-plaintext attack: a) the mask image H, b) cipher-image of plain-image "Baboon", c) the recovered image of Fig. 2b).



3.2 Some other security defects 

In this subsection, we further report some other security 
defects of the image encryption algorithm under study. 

— Low sensitivity with respect to change of plain-image
If the encryption results of an encryption algorithm are not sensitive to changes of the plaintext to a significant degree, the attacker can make predictions about the plaintext from the given ciphertext only. The desirable property of an encryption algorithm is called the avalanche effect in the field of cryptography. The property is even more important for image encryption algorithms, since image data and its watermarked versions, generally slightly modified versions of the original, are often encrypted at the same time and stored at the same place. The avalanche effect is quantitatively measured by how every bit of the ciphertext is changed when only one bit of the plaintext is modified. As for the image encryption algorithm under study, a change of one bit of the plain-image can only influence one bit at the same location in the corresponding ciphertext, which is very far from the expected property of a secure encryption algorithm.

— Insufficient randomness of the two used PRBSs
The complex dynamical properties that chaotic systems demonstrate in the continuous domain lead them to be considered a good source of PRBSs. However, chaotic systems cannot do the expected things in general, since their dynamical properties will definitely degenerate in the digital domain, where everything is stored and calculated in limited precision [12]. In addition, some chaotic systems need numerical approximation, and the simulation methods used and the related parameters will also have different influences on the degradation of the dynamical properties of the chaotic system. As for the image encryption algorithm under study, the trajectory of the Lorenz system is continuous, which means that any two consecutive simulated states are always highly correlated. As a consequence, the bits derived from neighboring states will also be closely correlated. Furthermore, the smaller the step length $h$ is, the stronger the correlation will be. Meanwhile, the value of $h$ should be small enough, since the accumulated error of the fourth-order Runge-Kutta method is $O(h^4)$. So, the step length $h$ should not be used as a sub-key, since its valid scope cannot be defined clearly. To verify this point, we employed the NIST statistical test suite to test the randomness of 100 binary sequences of length 512 × 512 × 8 = 2,097,152 bits (the number of bits in $\{w'_k\}$ used for the encryption of 512×512 gray-scale images). Note that the 100 binary sequences are generated by randomly selected initial conditions $(x_0, y_0, z_0)$ and a given step length $h$. For each test, the default significance level 0.01 was adopted. The passing rates in terms of the binary matrix rank test, which calculates the rank of disjoint sub-matrices of the entire sequence, under different values of step length $h$ are shown in Fig. 3, which agree with the estimation. We found that the PRBSs generated by the method used in the image encryption algorithm under study cannot pass most tests in the test suite even for the step lengths $h$ under which the rank test can be passed. When $h = 0.1$, the test results are shown in Table 1, from which one can see that the used pseudo-random bit generator is not a good source of PRBS.
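
The known-plaintext attack of Section 3.1 and the one-bit sensitivity defect listed above can both be reproduced on the bit-level rule as it is evaluated in the proof of Theorem 1. The following Python code is an added example, not code from the paper or from the proposers of the algorithm; it assumes a seeded PRNG (the hypothetical helper `control_bits`) in place of the Lorenz-derived control sequences and short constructed byte strings in place of the images.

```python
import random

def f(x):
    # Threshold function from Section 2.
    return 1 if x > 0 else 0

def control_bits(key, count):
    # ASSUMPTION: a seeded PRNG stands in for the Lorenz-derived sequences
    # {w_k} and {w^_k}; only their values in {1, -1} matter for the attack.
    rng = random.Random(key)
    return [(rng.choice((1, -1)), rng.choice((1, -1))) for _ in range(count)]

def encrypt_bit(p, w, w_hat):
    # Bit-level rule as it is evaluated in the proof of Theorem 1.
    c = -w_hat / 2
    theta = ((w + 1) // 2) ^ ((w_hat + 1) // 2)
    if w == 1:
        return f(p * w + c * w - theta)
    return f(p * w - c * w + theta)

def encrypt(data, key):
    ctrl = control_bits(key, 8 * len(data))
    out = bytearray()
    for n, byte in enumerate(data):
        out.append(sum(encrypt_bit((byte >> i) & 1, *ctrl[8 * n + i]) << i
                       for i in range(8)))
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def recover_mask(known_plain, known_cipher):
    # Equivalent key H = {eta_n}, with eta_n = p_n XOR p'_n.
    return xor_bytes(known_plain, known_cipher)

def differing_bits(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed sample data standing in for the two images.
KEY = 20111106                      # secret; used only to produce ciphertexts
KNOWN_PLAIN = bytes(range(256))
OTHER_PLAIN = b"a second image encrypted under the same key"

def demo():
    mask = recover_mask(KNOWN_PLAIN, encrypt(KNOWN_PLAIN, KEY))
    recovered = xor_bytes(encrypt(OTHER_PLAIN, KEY), mask)
    flipped = bytes([KNOWN_PLAIN[0] ^ 0x10]) + KNOWN_PLAIN[1:]
    spread = differing_bits(encrypt(KNOWN_PLAIN, KEY), encrypt(flipped, KEY))
    return recovered, spread

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the second plaintext recovered from its ciphertext with the mask alone, together with the number of cipher bits changed by a one-bit change of the plaintext.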



4 Conclusion 

In this paper, the security of a chaotic image encryption algorithm based on the perceptron model has been investigated in detail. The seemingly complex encryption algorithm was proved to be essentially equivalent to a stream cipher, and so it can be broken with only one pair of known plaintext/ciphertext. In addition, some other security defects of the encryption algorithm, including insensitivity with respect to changes of the plain-image and low randomness of the PRBSs used, are also reported. In all, this cryptanalysis paper shows us again that the security of an encryption algorithm should be mainly built on a good essential structure of the whole set of encryption operations instead of so-called complex theories.



Fig. 3 Passing rate of the rank test under different values of step length h.



Table 1 The performed tests with respect to a significance level 0.01 and the number of sequences passing each test in 100 randomly generated sequences.

Name of Test                                       Number of Passed Sequences
Frequency                                          93
Block Frequency (m = 128)                          100
Cumulative Sums-Forward                            94
Runs
Rank                                               100
Serial (m = 16)
Spectral Test
Random Excursions (x = 1)
Approximate Entropy (m = 10)
Longest Runs of Ones (m = 10000)
Non-overlapping Template (m = 9, B = 000000001)